My bad. In fact, it seems that if you have a share$ (as opposed to a share, without the dollar sign), then it's not 'visible' regardless of permissions.

Nick

-----Original Message-----
From: W. Andy Roche [mailto:andy.roche@xxxxxxxxxxxxxxxxxx]
Sent: 19 January 2006 14:06
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: [OT] NTFS Share/File Security

Nick,

I don't think that what you said about the share being "not visible" is correct. The share$ can still be enumerated, but not connected to by any user even though they don't have the rights to connect to it. Denying a user permission to a share is only restricting their ability to connect to, and use, that share. The upside of that is that the user cannot connect and enumerate the directories in the shared area.

We have found a happy medium ground in that we don't make shares open to "everyone", but only domain users, or a specific group. This keeps the auditors from busting our chops about the ability to enumerate directory names. We then provide the full restrictions at the NTFS level.

Andy Roche

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Nick Smith
Sent: Thursday, January 19, 2006 2:30 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: [OT] NTFS Share/File Security

If you deny permissions on a share$, then it is not *visible* to the denied user, while this effect does not occur with NTFS permissions. I've known people who specifically want to hide the existence of a particular share, and this would be the way to do it. In general security terms, it means a hacker cannot exploit something they can't see.

Nick

-----Original Message-----
From: Arthur Reyes [mailto:ARTADMIN@xxxxxxxxxxxxx]
Sent: 18 January 2006 23:59
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: [OT] NTFS Share/File Security

I'd also add that these are file servers only. They are not terminal servers, where someone other than a "Domain Admin" would be able to TS into the server.
--- Original Message ---
From: "Arthur Reyes" <ARTADMIN@xxxxxxxxxxxxx>
To: thin@xxxxxxxxxxxxx
Subject: [THIN] [OT] NTFS Share/File Security

> I have a client that is in the process of adopting best practises for
> file sharing on their MS 2003 File Servers. They have been informed
> that ACLs need to be set both on the Share and on the Folder itself,
> i.e.
>
> Share$ = ShareUsers:Full
> D:\Share = ShareUsers:Full
>
> For the life of me, I can't understand why anyone would do this.
> I've reviewed groups and share permissions, and I see no scenario
> where the more liberal share permission vs. the more restrictive NTFS
> permission would somehow grant a group of users more or less access
> than is intended. Nor do I know of a vulnerability or exploit where
> one type of permission can be hacked while preserving the other kind of
> permission. All I do see is a convoluted security practise and
> administrative overhead, with no net gain.
>
> Age and experience have taught me that I can't possibly know everything,
> so I present to you, the illustrious masters, this question. Can anyone
> think of a reason (exploit/vulnerability/whatever) why you would set
> Share permissions and NTFS permissions when using one or the other
> would not result in more or less permissions than intended?
>
> I'm baffled.
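The interaction the thread is arguing about, the share ACL gating whether a user can connect at all and the NTFS ACL doing the fine-grained work behind it, as an added Python model that is not code from the thread. The rights vocabulary, the `Ace` class and the example groups (Domain Users, Finance, Contractors) are constructed assumptions; the rule modelled is the standard one that effective access through a share is the intersection of both ACLs, with Deny entries beating Allow entries on each side.

```python
# Added example (not from the mailing-list thread): a toy model of how a
# share ACL and an NTFS ACL combine. Assumption: simplified rights names
# standing in for the real access mask; effective access through the share
# is the intersection of the two ACLs, and Deny ACEs win over Allow ACEs.
from dataclasses import dataclass

READ = frozenset({"list", "read"})
CHANGE = READ | {"write", "delete"}
FULL = CHANGE | {"change_permissions"}
SHARE_LEVELS = {"Read": READ, "Change": CHANGE, "Full": FULL}


@dataclass(frozen=True)
class Ace:
    trustee: str            # user or group name, e.g. "Domain Users"
    rights: frozenset
    allow: bool = True      # False means an explicit Deny ACE


def effective_rights(acl, principals):
    """Rights one ACL grants a user whose name and groups are `principals`."""
    allowed, denied = set(), set()
    for ace in acl:
        if ace.trustee in principals:
            (allowed if ace.allow else denied).update(ace.rights)
    return frozenset(allowed - denied)   # Deny takes precedence over Allow


def access_via_share(share_acl, ntfs_acl, principals):
    """Access actually obtained when the folder is reached through the share.

    No share rights means the user cannot connect, so the NTFS ACL is never
    consulted (and nothing below the share root can be enumerated);
    otherwise the result is the intersection of both ACLs.
    """
    share = effective_rights(share_acl, principals)
    if not share:
        return frozenset()
    return share & effective_rights(ntfs_acl, principals)


# Constructed scenario following Andy's approach: the share is granted to
# Domain Users only, and the real restrictions live in the NTFS ACL.
SHARE_ACL = [Ace("Domain Users", SHARE_LEVELS["Full"])]
NTFS_ACL = [
    Ace("Finance", FULL),
    Ace("Domain Users", READ),
    Ace("Contractors", frozenset({"write", "delete"}), allow=False),
]
```

A principal that is not in Domain Users gets nothing through the share even when the NTFS ACL would grant Full, which is the gating behaviour Andy's post relies on; a Domain User with a Deny on NTFS is cut back to Read even though the share says Full.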
>
> ************************************************
> For Archives, RSS, to Unsubscribe, Subscribe or set Digest or Vacation
> mode use the below link:
> //www.freelists.org/list/thin
> ************************************************